TWiTIoT: This Week in The Internet of Things – IoT Cybersecurity? What IoT Cybersecurity?

Greetings, and welcome. This week, a decade-old security flaw threatens nearly a half-billion IoT devices, while hackers use other long-known vulnerabilities to enslave thousands of IoT and other connected devices. What are we doing about IoT cybersecurity? As always, your thoughts, reactions, and suggestions are welcome. Just send a quick email to medortch@dortchonit.com. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.

Report: 10-Year-Old Vulnerability Threatens 496 Million IoT Devices

What Happened: A provider of IoT cybersecurity solutions for enterprises released a report that found almost a half-billion connected devices vulnerable to a security flaw first disclosed in 2008.

As CRN reported, this new warning comes from enterprise IoT security solution vendor Armis. In September 2017, as CRN then reported, the company identified a Bluetooth vulnerability that exposed more than 5 billion devices to attack. Armis claimed some 40 percent of these are IoT devices that are difficult or impossible to patch or update.

The latest Armis report claims nearly a half-billion IoT devices are vulnerable to attack via “DNS rebinding, an attack first disclosed at the RSA Conference in 2008.” An attacker gains access to a user’s web browser “through a malicious link enclosed within an email, banner ad or another source.” The technique then “allows an attacker to bypass a network firewall and use a victim’s web browser to access other devices on the network.”

The resulting damage can be quick and widespread. A successful attack via DNS rebinding “can leave devices susceptible to data exfiltration, compromise and hijacking, the latter of which could lead to a botnet attack similar to the Mirai malware that took down major websites in 2016.” That attack used a huge botnet of IoT devices to flood servers that manage internet addresses with meaningless data and requests. It disabled thousands of web sites, including those of prominent businesses such as Netflix and Twitter.
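A defensive illustration of the DNS rebinding technique described above, added here and not taken from the Armis report or the original article: in a rebinding attack, a hostname the browser first resolved to an external address is re-resolved to an address on the victim's internal network, so a resolver-side check can flag external names that answer with internal addresses. The log format, `LOCAL_SUFFIXES`, the 60-second window and the sample lines are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample resolver log (assumed format): epoch client name answer ttl
SAMPLE_LOG = """\
1000 192.168.1.20 cdn.example.net 198.51.100.20 300
1002 192.168.1.20 promo.example.org 203.0.113.7 1
1005 192.168.1.20 promo.example.org 192.168.1.50 1
1010 192.168.1.31 printer.lan 192.168.1.60 3600
1020 192.168.1.31 ads.example.com 198.51.100.9 60
1021 192.168.1.31 ads.example.com 127.0.0.1 60
1030 192.168.1.20 intranet.example.com 10.0.0.5 300
"""

LOCAL_SUFFIXES = (".lan", ".local", ".internal")  # assumed internal-only zones
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text, window=60):
    """Flag external names answered with internal addresses.

    'flipped' is True when the same client got an external answer for the
    same name within `window` seconds, the pattern a rebind produces.
    """
    last_external = {}  # (client, name) -> time of last external answer
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name, answer, ttl = line.split()
        if name.endswith(LOCAL_SUFFIXES):
            continue  # internal zones are expected to return internal IPs
        key = (client, name)
        if not is_internal(answer):
            last_external[key] = int(ts)
            continue
        prev = last_external.get(key)
        findings.append({"client": client, "name": name, "answer": answer, "ttl": int(ttl),
                         "flipped": prev is not None and int(ts) - prev <= window})
    return findings

if __name__ == "__main__":
    for f in find_rebinding(SAMPLE_LOG):
        print(f)
```

A finding with `flipped` set to False can be legitimate split-horizon DNS and deserves lower confidence than a flip.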

Botnets are networks of enslaved connected devices, created by malware that exploits a vulnerable network connection and propagates across that network. As ZDNet reported, botnets “can include standard PCs, routers, smartphones, and a more recent addition, the compromise of Internet of Things (IoT) devices ranging from smart lights to fridges.”

A new botnet created by a hacker known as “Anarchy” used a vulnerability first published in 2017 to compromise at least 18,000 network routers manufactured by China’s Huawei. The botnet took only 24 hours to create, and can remotely execute malicious code that attacks and enslaves other connected devices. Such botnets often target IoT devices, many of which use “hard-coded credentials” and can be compromised by “a simple scanner.”

Another botnet, known as “Death,” is successfully targeting devices manufactured by AVTech. As Security Affairs reported, the company is one of the world’s leading manufacturers of closed-circuit television (CCTV) cameras. The Death botnet exploits outdated firmware that exposes device passwords and enables attackers to add users to those devices. “AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware.” And the alleged creator of Death reportedly plans to use it in “massive attacks” in the future.

What It Means: Even when IoT and other connected devices can be updated with software patches, and vendors release patches in response to threats, companies using those devices often do not implement those patches in a timely fashion. Malefactors can therefore successfully attack devices and the networks to which they connect by exploiting vulnerabilities for which patches have existed for years.

Michael Dortch

As an IT industry analyst, consultant, journalist, and marketer, Michael Dortch has been translating bits and bytes into dollars and sense for four decades. His areas of expertise include strategic content planning, development, and creation, core content execution, and social media and online community development and outreach. Michael has helped to launch new products, enable sales teams, influence influencers, and grow web site traffic, prospects, leads, and positive perceptions for companies large and small. He also enjoys cooking, eating, traveling, and singing.